ICO.


Information Commissioner’s Office 


The ICO’s regulatory approach 


Our role as an independent regulator is to act in the public interest, and 
our approach has always been to be a pragmatic and proportionate 
regulator. 


We must continue to focus our priorities and our resourcing, so that we 
retain the right balance, focusing on those issues likely to cause the 
greatest public harm. 


We understand that organisations are trying to operate during uncertain 
and challenging times, and we will take into account the context the 
organisations we regulate are operating in, whilst acknowledging the 
important role that people’s information rights continue to have, both 
around privacy protections and transparency of decision making by public 
bodies. 


Background: 


We are committed to an empathetic and pragmatic approach, focusing on 
issues of greatest risk, and will demonstrate this through our actions: 


• We will continue to recognise the rights and protections granted to
people by the law, both around their personal information and their 
right to freedom of information. We recognise that confidence in how 
personal data is used and safeguarded is a key determining factor in 
how willing the public are to engage with initiatives that use personal 
data and publicly available information. 


• We will focus our efforts on the most serious risks and greatest
threats to the public. 


• We recognise that organisations are having to react quickly to new
risks and initiatives; we will assist organisations by providing advice 
and guidance on data protection laws and how to meet their 
obligations in response to new requirements and initiatives. 


• We will take firm action against those looking to exploit the public
through nuisance calls or by misusing personal information. 


• We will be flexible in our approach, taking into account the impact of
the potential economic or resource burden our actions could place on
organisations, particularly those engaged in tackling unprecedented 
circumstances or supporting vulnerable people. 


• We will continue to provide effective support to businesses and public
authorities, focusing on how we can accelerate and expand our 
sandbox, provide more upstream advice, and better support 
innovation. 


Engagement with the public and organisations: 


We remain committed to continuing to support the public and organisations 
through this period. 


• We will continue to identify and fast track advice, guidance or tools
that will have the most impact in helping public authorities and 
businesses. This work will build on the success of our information 
hubs, accountability framework and self-assessment FOI toolkit. 


• We will continue to ensure that the public can raise complaints with
us about information rights concerns; and we will use insight from 
our public advice services, complaints, investigations and horizon 
scanning to inform how we can engage with the public to better 
uphold their privacy rights. 


• We will continue to develop further regulatory measures aimed at
supporting economic growth and recovery including our advice 
services and sandbox. 


• We expect that organisations should be able to deal with complaints
they receive from members of the public. Where organisations have 
a backlog of complaints, we expect them to have robust recovery 
plans in place to ensure they reduce these backlogs within a 
reasonable timeframe. 


• We will continue to proactively engage with businesses and public
authorities to better understand how they can deal with information 
rights complaints in a timely manner. 

Regulatory action:


We will continue to act proportionately and in line with the ICO’s Regulatory 
Action Policy so that we balance the benefits to the public and the 
dissuasive effect of taking regulatory action against the effect of doing so 
on regulated organisations, taking into account the particular challenges 
being faced by organisations and the UK economy at this time. 


• Organisations should continue to report personal data breaches to us,
without undue delay. This should be within 72 hours of the 
organisation becoming aware of the breach. 


• We will continue to prioritise investigations that present the greatest
harm to the public. Where we conduct investigations, we will seek to 
understand the individual challenges faced by organisations and will 
consider the impact and the present economic situation on the 
organisation. 


• We will continue to take a strong regulatory approach against any
organisation breaching data protection laws aimed at taking 
advantage of current circumstances. 


• As set out in the Regulatory Action Policy, before issuing fines we
consider the economic impact and affordability. 


• We will undertake risk-based audit work on an offsite basis
recognising the restrictions that remain in force. 

Freedom of Information Act and Environmental Information
Regulations: 


We continue to adopt an empathetic and pragmatic approach in regulating 
access to information regulation, recognising the importance of 
transparency, especially where people have seen their civil liberties 
impacted, and also the potential impact on public authorities’ timeliness in 
supplying information in current circumstances. 


• We will continue to accept new information access complaints. We
will take a pragmatic approach to resolving these complaints, while 
reflecting that the majority of public authorities have told us that their 
capacity has increased. 


• Where public authorities have complaint backlogs, we expect
organisations to establish recovery plans focused on bringing the 
organisation back within compliance with the Freedom of Information 
Act within a reasonable timeframe. 


• We will continue to encourage public authorities to be transparent
and proactively publish information they know will be of importance 
to their communities, both in relation to their handling of the 
pandemic and their usual functions. 


• We will expect organisations to appreciate the ongoing importance of
proper record keeping during a period that will be subject to future 
public scrutiny. The Codes of Practices at sections 45 and 46 of the 
Freedom of Information Act (2000) make clear the expectations 
placed upon public authorities in respect of both discharging their 
responsibilities and record keeping in general and we will continue to 
expect that the standards in place are maintained. 